SecuritySnacks

Typo squatted domains around Shawn Johnson’s formula exchange
The nationwide formula shortage is nothing short of devastating, but proceed with caution when searching for supply. We’re seeing many new domains registered in the last week around the term ‘babyformula’.
New typo squatting domains are attempting to steer traffic away from Shawn Johnson’s babyformulaexchange[.]com. Note in our screenshot the slight changes in spelling meant to confuse users:

A list of newly observed or registered domains
DomainTools is offering a new, free threat intelligence feed of newly observed or registered Ukraine-related domain names to help organizations monitor threats. Learn more and download here: https://ukraine-domains.domaintools.com/

A list of risky domains
Ukraine activity update for Feb 28: Ukraine-related activity has grown past calling out single domains. A list of high-risk domains from over the weekend is located at https://github.com/DomainTools/SecuritySnacks/blob/main/2022/Feb%2026-27%20risky%20domains.txt

Confirmed with Global Giving
As noted, we continue to see Ukraine-based fraud/scam domains appear on the Internet. In particular, we have confirmed with @GlobalGiving that the domain globalgiving-ukraine[.]com, which was registered today, is a forgery.

Donation Sites
Please be mindful before donating to any domains claiming to help Ukraine. We are seeing many Ukraine-related sites created today, several taking donations for unspecified beneficiaries. See examples in thread below:
helpingukraine[.]org (created at 3:23PM Eastern, nothing on the site yet)
support-ukraine[.]eu - taking donations
donatetoukraine[.]org - set up to take donations, but site's broken
help-for-ukraine[.]eu - taking donations
supportukraine[.]net - taking donations
supportukraine[.]io - not taking donations yet
help-ukraine[.]org - not taking donations yet

Indicator List: log4j domains as of 12/15/21
What’s interesting here from the perspective of Internet infrastructure is that the domain registrations that are occurring, where the domain name contains the string “log4j,” seem to be following the pattern of Domain Blooms. A Domain Bloom is a pattern where the number of domains containing a specific n-gram (or, in more practical terms, a word or word fragment) rises above a previous baseline and remains higher for some period of time before tailing off to either the original baseline (in the case of relatively common words) or a new baseline (in the case of words basically new to the lexicon, such as “COVID”).
For defenders, the low number of log4j-themed domains thus far means that you’re not too likely, statistically speaking, to see traffic from your environment to one of these domains, and if you do, there’s no guarantee that you’ll hit a bad one.
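The Domain Bloom pattern described above can be checked against a registration feed. The following Python sketch is an added example, not DomainTools code: it counts daily registrations containing an n-gram, takes a baseline from the first days, and reports the first sustained rise and the level the counts settle at afterwards. The thresholds (`baseline_days`, `factor`, `min_run`), the function names and the sample records are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import date, timedelta
from statistics import mean

def daily_counts(records, ngram, start, end):
    """Per-day count of registered names containing ngram (case-insensitive)."""
    hits = Counter(day for day, name in records if ngram in name.lower())
    span = (end - start).days + 1
    return [(start + timedelta(d), hits[start + timedelta(d)]) for d in range(span)]

def find_bloom(series, baseline_days=7, factor=3.0, min_run=3):
    """Find the first sustained rise above the prior baseline.

    baseline_days, factor and min_run are assumed tuning values, not
    thresholds taken from the page. Returns None if no bloom is found.
    """
    counts = [c for _, c in series]
    baseline = mean(counts[:baseline_days])
    threshold = max(1.0, factor * baseline)
    run_start = None
    # Iterate one past the end so a run still open on the last day is closed.
    for i in range(baseline_days, len(counts) + 1):
        above = i < len(counts) and counts[i] > threshold
        if above and run_start is None:
            run_start = i
        elif not above and run_start is not None:
            if i - run_start >= min_run:
                tail = counts[i:]  # days after the bloom tails off
                return {"baseline": baseline,
                        "start": series[run_start][0],
                        "end": series[i - 1][0],
                        "post_baseline": mean(tail) if tail else None}
            run_start = None  # short spike, not a bloom
    return None

def sample_records():
    """Constructed registrations (not real observations) over 20 days."""
    start = date(2021, 12, 1)
    per_day = [2, 3, 2, 1, 2, 3, 1, 2, 9, 14, 20, 15, 10, 8, 5, 4, 5, 4, 5, 4]
    records = []
    for offset, n in enumerate(per_day):
        day = start + timedelta(offset)
        records += [(day, f"log4j-sample{offset}-{k}.example") for k in range(n)]
        records.append((day, f"unrelated{offset}.example"))
    return start, start + timedelta(len(per_day) - 1), records

if __name__ == "__main__":
    first, last, recs = sample_records()
    print(find_bloom(daily_counts(recs, "log4j", first, last)))
```

A `post_baseline` close to `baseline` corresponds to the common-word case, and a clearly higher one to the new-baseline case.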
Indicator List: log4j domains as of 12/15/21:

Some GitHub targeted phishing from @piffey with more new domains discovered today.
gjthub[.]app
gjthub[.]team
qlthub[.]support
All registered last night. Not on any infrastructure yet. 🙄
